Skip to content

build(pnpm): migrate to pnpm 11 + add minimumReleaseAge + pin Node 22#165

Merged
EricAndrechek merged 3 commits into
mainfrom
issue-160
May 19, 2026
Merged

build(pnpm): migrate to pnpm 11 + add minimumReleaseAge + pin Node 22#165
EricAndrechek merged 3 commits into
mainfrom
issue-160

Conversation

@EricAndrechek

@EricAndrechek EricAndrechek commented May 19, 2026

Copy link
Copy Markdown
Member

Closes #160.

Summary

  • All three TS workspaces (clients/ts, tests/e2e/sdk, docs) plus the setup-env composite action jump from pnpm@10.33.0pnpm@11.1.3.
  • pnpm 11 deprecates the pnpm field in package.jsononlyBuiltDependencies moves into a new pnpm-workspace.yaml next to each package.json and is renamed to allowBuilds: with the new map-of-booleans syntax.
  • Same pnpm-workspace.yaml files set minimumReleaseAge: 10080 (7 days) so pnpm refuses freshly published packages until npm/jsr have had a week to flag a compromised release.
  • New repo-root .nvmrc pins Node 22 LTS — matches what CI's setup-node already uses, and reduces Node-major-surprise risk on nvm/fnm/volta dev machines.
  • README, AGENTS.md, and docs/development.md updated for the new versions.

Notes from investigation

The issue flagged two open questions; here's where I landed on each:

  • electron-winstaller mystery. Not a hidden transitive of any WaveHouse workspace. The pnpm 11 ignored-build warning came from a stray /Users/eric/pnpm-workspace.yaml in the local dev's home directory — pnpm 11 walks up the directory tree looking for a workspace root and found it before the in-repo one. Correctly omitted from allowBuilds. (Future devs hitting this should clean up their home dir or rename their stray workspace file.)
  • Node 26 Vitest crash. I could not reproduce it on the current branch — make test-sdk runs all 120 tests cleanly on Node 26. The earlier clients/ts bump to vitest@^4.1.6 (PR deps(sdk): bump the sdk-deps group in /clients/ts with 2 updates #103) seems to have already absorbed the V8 incompatibility. I still added the .nvmrc per the issue's request, since pinning has independent value and the cost is one line.

Test plan

  • make build-sdk — green
  • make build-docs — green
  • make test-sdk — 120/120 passed on Node 26 + pnpm 11
  • pnpm install --frozen-lockfile clean in all three workspaces (CI's path)
  • CI green on this PR (full make ci including make test-e2e which needs the containerized ClickHouse + wavehouse binary)
  • Re-validate PR chore: claude code native improvements #147's pre-push gate flow once this lands, per the issue's "Related" section

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores

    • Updated pnpm to 11.1.3 and pinned Node.js to 22 LTS across the repo.
    • Added/updated per-workspace pnpm settings to allow native build steps and enforce a 7-day minimum release age for packages.
  • Documentation

    • Updated README, development guide, and prerequisites docs to reflect Node.js 22 LTS and pnpm 11.1.3 requirements and verification instructions.

Review Change Stack

Closes #160. Three TS workspaces (clients/ts, tests/e2e/sdk, docs) and
the setup-env composite action all jump from pnpm 10.33 to 11.1.3.

pnpm 11 deprecates the `pnpm` field in package.json — `onlyBuiltDependencies`
moved into a `pnpm-workspace.yaml` next to each package.json, renamed to
`allowBuilds:` with the new map-of-booleans syntax. Same files hold a
7-day `minimumReleaseAge` (10080 minutes), so pnpm refuses freshly
published packages until npm/jsr have had a week to flag a compromise.

Node 22 is pinned via a new repo-root `.nvmrc` to match what CI's
`setup-node` already uses. The issue flagged Node 26 crashing Vitest
with a V8 abort; that's no longer reproducible after the recent
vitest@^4 bump in clients/ts, but the pin still avoids Node-major
surprises and gives `nvm`/`fnm`/`volta` users a one-shot version pick.

Note on `electron-winstaller`: the issue's open question about whether
it was a hidden transitive — it isn't. The warning came from a stray
`/Users/eric/pnpm-workspace.yaml` in the local dev's home directory
(pnpm 11 walks up looking for a workspace root). Not a WaveHouse dep,
correctly omitted from `allowBuilds`.

Verified:
  - make build-sdk      green
  - make build-docs     green
  - make test-sdk       120/120 passed (Node 26 + pnpm 11 — no crash)
  - pnpm install --frozen-lockfile clean in all three workspaces
  - Pre-existing typecheck error in clients/ts/src/cli/codegen.ts
    (missing @types/node) is unrelated and reproduces on main.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@gemini-code-assist

Copy link
Copy Markdown

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request modernizes the project's package management infrastructure by upgrading to pnpm 11 and standardizing the development environment on Node 22 LTS. These changes improve security through release age restrictions and ensure consistency between local development environments and CI pipelines, while also updating documentation to reflect the new requirements.

Highlights

  • pnpm Upgrade: Migrated all workspaces and CI configuration from pnpm 10.33.0 to 11.1.3.
  • Configuration Migration: Moved pnpm-specific settings from package.json to new pnpm-workspace.yaml files, implementing the new allowBuilds syntax.
  • Security Hardening: Added a 7-day minimumReleaseAge to pnpm-workspace.yaml files to mitigate risks from compromised package releases.
  • Node.js Standardization: Pinned the development environment to Node 22 LTS using a new .nvmrc file at the repository root.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@github-actions github-actions Bot added documentation Improvements or additions to documentation dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code area/sdk TypeScript SDK (clients/ts/) area/docs Documentation, site/, README area/infra CI, build, deploy, Docker, release labels May 19, 2026
@github-actions github-actions Bot requested a review from taitelee May 19, 2026 14:06
@coderabbitai

coderabbitai Bot commented May 19, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: ff0500c1-80cd-40e5-a046-7bb73f43ef27

📥 Commits

Reviewing files that changed from the base of the PR and between 3418d84 and 447eb03.

📒 Files selected for processing (3)
  • CHANGELOG.md
  • README.md
  • docs/package.json

📝 Walkthrough

Walkthrough

Pin Node.js to v22 LTS and migrate pnpm from 10.33.0 to 11.1.3 across CI and manifests; replace package-level pnpm build settings with workspace-level pnpm-workspace.yaml files (allowBuilds/minimumReleaseAge) and update developer docs and changelog to match.

Changes

Tooling Version Upgrade and Configuration

Layer / File(s) Summary
Node.js and pnpm version pins
.nvmrc, .github/actions/setup-env/action.yml, clients/ts/package.json, docs/package.json, tests/e2e/sdk/package.json
Node.js is pinned to v22 LTS via .nvmrc, and pnpm is updated to 11.1.3 in the CI composite action and packageManager fields.
pnpm 11 workspace configuration migration
clients/ts/package.json, clients/ts/pnpm-workspace.yaml, docs/package.json, docs/pnpm-workspace.yaml, tests/e2e/sdk/package.json, tests/e2e/sdk/pnpm-workspace.yaml
Removed pnpm.onlyBuiltDependencies from package.json files and introduced pnpm-workspace.yaml configs with allowBuilds (enabling esbuild, plus sharp/workerd in docs) and minimumReleaseAge: 10080.
Developer documentation and changelog updates
README.md, AGENTS.md, docs/src/content/docs/development.md, CHANGELOG.md
Updated local development prerequisites and verification snippets to require Node.js 22 LTS (pinned via .nvmrc) and pnpm 11.1+, and added changelog/security note about minimumReleaseAge.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

Suggested reviewers

  • taitelee

"I’m a rabbit tapping keys in line,
Bumped pnpm and pinned Node fine.
Workspaces set, changelog sings,
Safe installs and tidy things. 🐰"

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title accurately and concisely summarizes the main changes: pnpm migration to v11, addition of minimumReleaseAge security setting, and Node 22 pinning via .nvmrc.
Linked Issues check ✅ Passed All primary coding objectives from issue #160 are met: pnpm 11 migration complete across all three workspaces, minimumReleaseAge added, Node 22 pinned via .nvmrc, build configs migrated to pnpm-workspace.yaml, and all test targets pass (make build-sdk, build-docs, test-sdk 120/120).
Out of Scope Changes check ✅ Passed All changes are directly aligned with issue #160 scope: pnpm version bumps, workspace configuration migrations, Node version pinning, documentation updates, and changelog entries. No unrelated modifications detected.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch issue-160

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-project-automation github-project-automation Bot moved this from Backlog to In progress in WaveHouse Task Board May 19, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request upgrades the project's development environment to Node.js 22 LTS and pnpm 11.1.3, which includes migrating build configurations to new pnpm-workspace.yaml files and implementing a minimum release age security policy. Feedback identifies a missing mandatory update to the CHANGELOG.md and suggests automating the synchronization of security settings across the various workspace files to prevent manual maintenance errors.

Comment thread AGENTS.md
Comment thread docs/pnpm-workspace.yaml
Comment thread docs/package.json Outdated
@claude

claude Bot commented May 19, 2026

Copy link
Copy Markdown

1 [SHOULD], 0 [MUST], 0 [MAY].

See the inline thread for detail.

Missing doc-sync [SHOULD]: CHANGELOG.md has an ## Unreleased section but this PR doesn't add an entry. Per AGENTS.md's sync table, any notable change belongs there. A pnpm major-version bump that introduces new security semantics (minimumReleaseAge) and closes issue #160 clearly qualifies. Add a bullet under ### Changed (or ### Security given the minimumReleaseAge addition).


Iterate — fix the engines.node inconsistency and add the CHANGELOG entry; both are one-liners.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Line 119: Update the README's prerequisite sentence that currently reads "pnpm
11+" to match the rest of the docs and CI by specifying "pnpm 11.1+" (consistent
with docs/development.md and the CI pin at 11.1.3); locate the phrase in the
README sentence that lists prerequisites (the clause containing "Node.js 22 LTS
(pinned via `.nvmrc`, matches CI), and pnpm 11+") and replace the pnpm minimum
version to "11.1+" so all documentation and CI requirements are aligned.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 07e17ae1-6c24-433d-93b1-f2fe07ba9d51

📥 Commits

Reviewing files that changed from the base of the PR and between fb983e2 and 3418d84.

📒 Files selected for processing (3)
  • AGENTS.md
  • README.md
  • docs/src/content/docs/development.md

Comment thread README.md Outdated
@github-project-automation github-project-automation Bot moved this from In progress to In review in WaveHouse Task Board May 19, 2026
Comment thread docs/package.json Outdated
@claude

claude Bot commented May 19, 2026

Copy link
Copy Markdown

1 [SHOULD], 1 [SHOULD] (doc-sync), 0 [MUST] — see inline threads for detail.

The docs/package.json#engines.node fix has a one-line suggestion on the diff. The second [SHOULD] can't land as an inline thread because CHANGELOG.md wasn't touched in this PR:

[SHOULD] CHANGELOG.md has no entry for this change. AGENTS.md §"Documentation Sync" requires all notable changes under [Unreleased]. The pnpm 11 major-version bump plus the new minimumReleaseAge: 10080 supply-chain gate clear the "notable" bar — contributors who run pnpm install will see changed behavior. A prior review run on this PR already flagged this; the thread is still unresolved. Please add a bullet under ### Changed (or a new ### Security subsection) covering: pnpm 10 → 11 migration, .nvmrc addition, and the 7-day release-age gate.


Iterate — two one-liners before merge: bump engines.node to >=22.0 and add a CHANGELOG entry.

…LOG)

Three one-liners from the PR review round:

  * docs/package.json#engines.node: >=20.0 → >=22.0 so corepack/volta
    flag local-dev mismatches before CI does (Claude SHOULD).
  * README.md: "pnpm 11+" → "pnpm 11.1+" — consistent with
    AGENTS.md/development.md and the 11.1.3 CI pin (CodeRabbit minor).
  * CHANGELOG.md: add Unreleased entries under ### Changed (toolchain
    bump) and a new ### Security subsection (minimumReleaseAge)
    (Claude + Gemini doc-sync MUST/SHOULD).

The Gemini "automate minimumReleaseAge drift detection" suggestion is
deliberately declined — three sibling files, all surfaced in any PR
diff that touches them; the cost of a Make/CI check exceeds the cost
of a one-line `grep minimumReleaseAge */pnpm-workspace.yaml` during
review.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-project-automation github-project-automation Bot moved this from In review to In progress in WaveHouse Task Board May 19, 2026
@EricAndrechek

Copy link
Copy Markdown
Member Author

Review round-trip summary (commit 447eb03):

Fixed:

  • docs/package.json#engines.node: >=20.0>=22.0 (Claude SHOULD, both inline threads).
  • README.md line 119: pnpm 11+pnpm 11.1+ (CodeRabbit minor).
  • CHANGELOG.md: added ## Unreleased entries under ### Changed for the toolchain bump and a new ### Security subsection for minimumReleaseAge (Gemini MUST + Claude SHOULD).

Declined (with reasoning in-thread):

All 5 inline threads resolved. @claude @gemini-code-assist @coderabbitai thanks for the round-trip.

@coderabbitai

coderabbitai Bot commented May 19, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

@EricAndrechek Thanks for the thorough round-trip summary! Appreciate the clear accounting of what was fixed vs. declined and the reasoning behind each decision.

The README fix (pnpm 11+pnpm 11.1+) is confirmed addressed. The rationale for declining the drift-detection CI step is sound — for three co-located files where the drift cost is a single integer, PR review + a targeted grep is proportionate overhead for the scope of #160.

The PR looks clean from my side. Happy reviewing! 🐇✨

@gemini-code-assist

Copy link
Copy Markdown

@EricAndrechek Thanks for the comprehensive summary of the resolution steps taken. It is great to see the toolchain migration, security hardening, and documentation updates all finalized and aligned with the project's requirements. The rationale for declining the drift-detection CI step is well-reasoned given the project's current structure. This PR is in excellent shape. Happy merging! 🚀

@claude

claude Bot commented May 19, 2026

Copy link
Copy Markdown

0 [MUST], 0 [SHOULD], 0 [MAY] — no inline findings.

Both prior threads (missing CHANGELOG entry, docs/package.json#engines.node at 20 instead of 22) are resolved in the latest commit. Nothing new to flag: the onlyBuiltDependenciesallowBuilds migration is structurally correct for every workspace, the per-workspace pnpm-workspace.yaml pattern correctly shadows any ancestor workspace file (which explains the electron-winstaller ghost), and minimumReleaseAge: 10080 (7 days in minutes) is a meaningful supply chain improvement with a clear override path documented in-file.

Ship it — all review threads closed, CI gate is the only remaining checkpoint.

@EricAndrechek EricAndrechek enabled auto-merge (squash) May 19, 2026 14:31

@taitelee taitelee left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep. Only see minimumReleaseAge changes and pnpm updates. Looks good to me.

@EricAndrechek EricAndrechek merged commit b96f921 into main May 19, 2026
18 checks passed
@EricAndrechek EricAndrechek deleted the issue-160 branch May 19, 2026 14:56
@github-project-automation github-project-automation Bot moved this from In progress to Done in WaveHouse Task Board May 19, 2026
@coderabbitai coderabbitai Bot mentioned this pull request May 26, 2026
13 tasks
EricAndrechek added a commit that referenced this pull request May 27, 2026
## Summary

A large (hopefully final, apart from potentially a separate PR for
content refactoring/touch-ups/restructuring) PR to lay the groundwork
for all the docs/website stuff needed before going live.

## Plan

- [x] Additional icons, opengraph meta, meta tags, etc needed –
specifically twitter card and confirming og tags are all there properly
- [x] ~~pnpm workspace or something? Started in #165 but need to finish
as dependabot becomes simpler and pnpm/node versions with various
subpackages in this monorepo allowing different versions in each becomes
painful – this fixes that.~~ (Unsure if we want yet or not, deferring
until later/after alpha release)

## Related Issues:

- [ ] closes #148 
- [x] closes #156 (should have been closed already by #142)
- [x] closes #154 
- [x] closes #155
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/docs Documentation, site/, README area/infra CI, build, deploy, Docker, release area/sdk TypeScript SDK (clients/ts/) dependencies Pull requests that update a dependency file documentation Improvements or additions to documentation github_actions Pull requests that update GitHub Actions code

Projects

Archived in project

Development

Successfully merging this pull request may close these issues.

Migrate to pnpm 11 + set min release age for dependencies

2 participants